DSA-2020-281: Dell Wyse ThinOS 8.6 Security Update for Insecure Default Configuration Vulnerabilities

As more and more articles are popping up about this “security issue”, I thought it would be good to give you some insights into it.

Prof. Gil David and Elad Luz of CyberMDX reported two vulnerabilities (CVE-2020-29491 and CVE-2020-29492) to Dell some days ago, and Dell took immediate action by releasing ThinOS 8.6 MR8, which fixes them.

So far so good. But is this really such a big security issue? Should you hurry and update all clients to be safe again?

This depends on how you manage your ThinOS clients. If you are still using a standard FTP or HTTP server with anonymous access and read/write permissions, then the clear answer is YES. Run boy, run!

But if your file server uses TLS, i.e. the clients fetch their configuration over HTTPS, and the WNOS share is read-only, then you are safe. Both conditions matter: HTTPS protects the configuration in transit, and a read-only share stops anyone from replacing it on the server.
The same applies if you already use Wyse Management Suite (WMS) to manage your thin clients.

Conclusion: In my opinion this is a valid security issue to point out. However, Dell has never recommended using plain FTP with anonymous access and full permissions; every administrator should know that this opens all doors wide to any attacker.
Dell has therefore recommended relying on HTTPS, or better WMS, for a long time already.

You can find more info in the official Dell response here: https://www.dell.com/support/kbdoc/en-us/000180768/dsa-2020-281

These are Dell's recommendations, which can also be found in the above article:

  • Secure the file server environment when using Dell Wyse ThinOS 8.6 clients – Impacted ThinOS 8.6 customers can secure their environment by updating their file servers to use a secure protocol (HTTPS instead of HTTP or FTP) and by ensuring file servers are set to read-only access. 
  • Deploy Dell Wyse Management Suite – Impacted ThinOS 8.6 customers can use Wyse Management Suite instead of a file server for imaging and device configuration. Wyse Management Suite communications enforce HTTPS protocol and all configurations are stored in a secure server database instead of editable configuration files.
  • Deploy Dell Wyse Management Suite with ThinOS 9 – In addition to deploying Wyse Management Suite, customers with eligible Wyse clients can update their operating system to ThinOS 9 free of charge. ThinOS 9 clients do not support file server configuration, and thus this exploit does not apply to Wyse clients running ThinOS 9.
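To check whether your own file server is in the "run boy, run" state or in the state Dell's first recommendation describes (HTTPS and read-only), here is a small audit script. It is an added example written for this post, not Dell's tooling and not something from the original article. It assumes the share is served under a `/wnos/` path on the server you point it at; host names, ports and the probe file name are placeholders. It tries to upload and then delete a harmless probe file over HTTP (PUT/DELETE) and over anonymous FTP (STOR), reports cleartext transport and write access, and includes a self-check that runs the HTTP probe against a read-only local `http.server` so you can see what a clean result looks like before pointing it at production.

```python
"""Audit a ThinOS 8.6 file server for the two weak settings behind DSA-2020-281:
cleartext transport (HTTP/FTP) and a writable wnos share.

Added example for this post; it is not Dell's code and not the author's.
Host names, ports and the /wnos path are assumptions about a typical deployment.
Only the Python standard library is used, so it runs as-is."""
import ftplib
import http.client
import http.server
import io
import os
import shutil
import sys
import tempfile
import threading
import urllib.parse

PROBE_NAME = "dsa-2020-281-probe.tmp"   # created and removed again only if the share is writable


def probe_http(base_url, timeout=5):
    """PUT a probe file under <base_url>/wnos/, then DELETE it again if that worked.
    Returns {'scheme', 'status', 'writable'}; a 2xx on PUT means anyone can replace wnos.ini."""
    u = urllib.parse.urlsplit(base_url)
    path = u.path.rstrip("/") + "/wnos/" + PROBE_NAME
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("PUT", path, body=b"probe", headers={"Content-Type": "text/plain"})
        resp = conn.getresponse()
        resp.read()
        writable = 200 <= resp.status < 300
        if writable:                       # clean up after ourselves
            conn.request("DELETE", path)
            conn.getresponse().read()
        return {"scheme": u.scheme, "status": resp.status, "writable": writable}
    finally:
        conn.close()


def probe_ftp(host, port=21, timeout=5):
    """Anonymous login, then STOR a probe file in /wnos. Returns {'anonymous_login', 'writable'}."""
    result = {"anonymous_login": False, "writable": False}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login()                        # user 'anonymous', password 'anonymous@'
        result["anonymous_login"] = True
        try:
            ftp.cwd("wnos")
        except ftplib.error_perm:
            pass                           # share may be the FTP root itself
        try:
            ftp.storbinary("STOR " + PROBE_NAME, io.BytesIO(b"probe"))
            result["writable"] = True
            ftp.delete(PROBE_NAME)
        except ftplib.error_perm:
            pass                           # STOR refused: read-only, as it should be
        ftp.quit()
    except ftplib.all_errors as exc:       # includes OSError (connection refused, timeout)
        result["error"] = str(exc)
    return result


def findings(http_result=None, ftp_result=None):
    """Turn probe results into the two conditions Dell's advisory tells you to fix."""
    out = []
    if http_result and http_result["scheme"] != "https":
        out.append("cleartext transport (HTTP): configuration is fetched unencrypted, use HTTPS")
    if http_result and http_result["writable"]:
        out.append("wnos share writable over HTTP: anyone can replace wnos.ini, make it read-only")
    if ftp_result and ftp_result.get("anonymous_login"):
        out.append("anonymous FTP login accepted: cleartext and unauthenticated")
    if ftp_result and ftp_result.get("writable"):
        out.append("wnos share writable over anonymous FTP: anyone can replace wnos.ini")
    return out


def self_check():
    """Run probe_http against a read-only stdlib http.server on localhost.
    Expected: cleartext flagged (it is plain HTTP), share not writable (PUT answered with 501)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "wnos"))
    handler = lambda *a, **kw: http.server.SimpleHTTPRequestHandler(*a, directory=root, **kw)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        res = probe_http("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(root, ignore_errors=True)
    return res, findings(http_result=res)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: %s http(s)://fileserver[/base] [ftp-host]" % sys.argv[0])
        sys.exit(2)
    h = probe_http(sys.argv[1])
    f = probe_ftp(sys.argv[2]) if len(sys.argv) > 2 else None
    for line in findings(h, f) or ["no weak setting found"]:
        print(line)
```

Run it as `python3 audit_wnos.py https://fileserver.example/` (plus an FTP host as second argument if you still have one). An empty finding list means the server refused the upload and the URL is HTTPS; any "writable" line is exactly the condition the advisory is about, and that is the server to fix first, independently of whether the clients have received MR8 yet.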